thanks for the reply. I'm running NetSight 6.2. But what has the NetSight Version to do whether the wireless controller sends out netflow packets or not? In my opinion this is more WIreless controller related.

The 9.21 Wireless controller is sending out Netflow packets... However, it is sending it on Port 2095. NS/Purview6.2 does not listen on that port and therefore does not display any Netflow data. You need Purview6.3 in order to receive and analyze the records.

Therefore you need a minimum base of NetSight/Purview 6.3 in order for the integration to work correctly.

I've a single SSID/BYOD/NAC deployment with most of my APs in the office but also some in remote/home offices.

I'm not sure what the correct way is to enable Purview data collection....Should/could I globaly enable it on the SSID but disable it for the role home office (bridge@AP).It would make no sense to mirror all traffic back via the slow WAN link to the Purview engine.

Or should I leave WLAN service mirror disabled and enable it only on the role level (the bridge@EWC & routed roles).

What is the difference... on the WLAN service the selection is "enable both directions" but in the role the option is only "enabled".Does it give the same information back to Purview ?

The definition in the WLAN Service will work as the catch-all policy. Policy has precedence.

So in your example, if you want to capture all the traffic on the service except specific roles, simply set the service to 'Enable' - both directions recommended to get by-directional view of the traffic.

For any Roles you want to exclude, simply set their default action Traffic Mirror to 'Prohibited'.

If you have both Role and Service set to Enable, then there's no discrepancy and any traffic from that role on that service is N-Mirrored.

1) controller mirror portIs the traffic send untagged or is the tag from the respective role used to forward the traffic to Purview?

2) mirror N packetsIf I unterstand it correctly only the first 15 packets/flow are mirrored to Purview per default.So I should be able to enable it also for remote/branch offices without having all data copied back to the controller, right ?

1) Traffic to the MU (NET to MU) if carrying a VLAN tag when received at the Appliance/AP will be mirrored as is (With VLAN tag)

Traffic from the MU (MU to NET) will always be mirrored as received from the wireless (post 802.3) which does not include the VLAN tag.

2) It depends on the topology configuration. For Bridged@Controller topologies all traffic is relayed back to the controller for N-Mirroring filtering and NetFlow metrics. Note: if mirroring applicable (Rule, Role or Service) the AP will still mirror back all traffic that is 'denied' by a Filtering@AP (controller will discard from the VLAN any such traffic, but will still mirror on Purview)

For Bridged@AP topologies, the AP will mirror only up to the first N-frames of a flow. Note2: AP will mirror up to N-Frames of any flow even if "Denied' by filtering at AP (so that Purview has complete view of all traffic intended to/by the user)

When i use TAGGED on any ESA the traffic don ́t appear on Purview, if the interface outside configured was untagged the purview show the connections, if tagged packets the purview count but not appear on dashboard. Any idea??

I choose plug controller direct to the VM (C5210). If you call "tcpdump" the traffic exist and statitisc of purview appears. I have the same scenario but with traffic untagged and purivew show the traffic and informations. But with Tagged, no show

Luis, is the customer platform running on a VM? It would need to be responsible likely for decoding the tagged packet and forwarding to the PurviewVM.a tcpdump, if seen with packets like above, should indicate your getting netflow packets to the purview appliance. The purview appliance must then be sending data back to the Netsight appliance to display the data. As mentioned above, sometimes the Netsight appliance is used for looking at applications flow, it is the default , and needs to be changed to the Purview appliance.

Mike, The customer has a VM, the VM and Netsight has on the same server. On my lab, the purview show the information, but on the customer not. If you see the image attach, you will see the information of my lab and customer

We are bridging traffic at the AP, tagged in specific Vlans.
I see both the Netflow traffic and the Mirrored traffic on the Purview appliance if I run a TCPDUMP for both the management and mirror ports.
But We still do not see and "Applications Flows".
I will test this with B@AP but untagged.

I have deployed PV and EWC in recommended versions, follow the GTAC document how to configure and apparently can not see any traffic on eth0 and eth1 interface of PV. It means no flow and no mirror. Any suggestions what I am doing wrong?

Is it Hyper-V or VMWare install? Permiscous mode on the ports is needed for the mirror interface anyways. Seeing no traffic however is a sign of another problem more than likely. Like the virtual switch may be broken.﻿

How should I proceed with troubleshooting when PV gets NetFlow reports (I can see them via tcpdump from both EWCs that create H/A pair) but it doesn't get MirrorN via L2 port?

I've set eth1 and eth2 in PV for mirror, as one is for the LAN, and another is for EWCs. Then I put the eth in a separate vSwitch (promisc accept) with one 4095 VID port group (promisc accept), where also mirror ports of both EWCs are inserted.

I am concerned about output of OneView->Applications->Configuration->Purview Appliances->purview->Status->Diagnostics->Configuration Verification:--------------------------------------------------Process appid is running at pid 7927Process appidserver is running at pid 7947--------------------------------------------------Checking for traffic on interface eth1Checking for traffic on interface eth2Checking for Netflow records on interface eth0..Checking for Netflow records on interface eth1..Checking for IPFIX records on loopback interface..--------------------------------------------------Waiting for captures to complete..Mirror appears to be setup correctly on eth1.Mirror appears to be setup correctly on eth2.NOTE - Netflow does not appear to be setup to send to this host correctly. <<<IPFIX appears to be setup correctly.--------------------------------------------------

If needed I can share with all the details of steps I've made to configure PV/EWC.

Regards,Tomasz

EDIT: Tcpdumping the esa1 at EWC doesn't show anything.I am testing using mobile playing Youtube movies, with B@AP topology.

The issue with EWC and Purview was connected withsize of EWC virtual machine resources. If I had EWC with small amount of resources => EWC Small, EWC did not send any data to Purview (Netflow). When I have changed size of controller to Medium everything was OK and Purview started to work fine.

I have a case open... 2 months and all questions. all that was asked me I said , I sent screenshots I only requested a remote access someone who has already run the purview with wireless. I have 3 customers who are interested but want to see the working solution

We have worked with Luis Mendes via remote session and we believe we have identified the root cause. The Admin interface cannot be used as the source interface for netflow traffic. We have suggested to have the admin interface disabled and configure one of the available physical interfaces (esa0-3) for management of the controller and to be used as the source for the netflow traffic.

Hello all, as soon as i enable the netflow mirror L2 port (esa1) to the purview appliance all of the wireless traffic stops. all clients are still connected to the AP's but are not able to pass traffic. NMS,NAC,Purview & WLC are virtual.. Purview configured with option 1, single interface. Any ideas?

James, I am not a VMware design expert - but the ESA port would need to be sent out a specific VLAN, probably tagged in this case, so it can get to the other sides Purview appliance VM Eth1 port. The wireless controller cannot do a Gre tunnel like the PV-FC-180 and S-Series so you will need to work around that.Others here may have more experience in the actual configuration from a Vswitch end.

We have two EWCs, each on different hosts, running active/active, and I'm trying to figure out how to setup one Extreme Analytics (Purview) VM, where both controllers will forward their Netflow? We aren't licensed to use Vmware's distributed switch so we have to use standard switch. Has anyone done this before? or would it be best to setup a Analytics VM on each of VM hosts where my EWC sits, as EWC esa1 and Analytics eth1, need to sit on the same Standard vSwitch.

Hi James. So far I implemented this yesterday, and it seems to be working. We have a vmware essentials plus license, so we can't use" distributed virtual switch". But if you have the license one above that, which I think is vmware enterprise, then you should be able to use one purview vm, and have a distributed virtual switch spanning across multiple vm hosts, for the EMC esa1 and purview etgh1 to plug into. If I remember correctly, I think this distributed virtual switch needs to be set to mirroring. This is all from what I've read, and unfortunately I can't confirm as I don't have the license.

From what I've done:VM Host 1-EMC1-Analytics Purview 1 VM-Standard Switch in promiscuous mode, using dedicated L2 port connected to our switch (EMC1 esa1, and Purview1 eth1 connected to this virtual switch)-On our switch, I created a vlan, "analytics" to isolate traffic on this standard switch

While we do have Enterprise Plus vSphere, but switching to a distributed virtual switch is a big config change, so I went with the config you have above (although I assume you mean EWC not EMC). There's a few things that are covered in comments above, like using VLAN 4095 to get all data, but one thing that isn't is that you can't use the EMC to configure Wireless Controller Flow Sources, as it'll try to add both controllers of the HA pair to one capture appliance, which is exactly what you don't want. Instead, set them up manually in each EWC, and then they show up in EMC later. I also set up a DRS rule to keep the EWC and Purview VMs on the same host.

One thing I learnt while researching VMware dvSwitching is it supports Encapsulated Remote Mirroring (L3) which is a GRE port mirror. So it's conceivable that you could set that up and point it at the purview VM like you would with a CoreFlow2 GRE source. Also, now I realise I can capture normal traffic from my S4 to wireshark on my desktop.